Attacking MD5

  • 8/2/2019 Attacking MD5

    Attacking MD5: Tunneling & Multi-Message Modification

    Team Short Bus: Daniel Liu, John Floren, Tim Sperr

  • Agenda

    Introduction
    The MD5 Message Digest: Description of Algorithm; Our Implementation
    Description of Attacks: Brute-Force/Birthday Attacks; Tunneling Attacks
    Our Attacks vs. Reference Attacks
    Results
    Future Work
    Conclusion

  • MD5: Message Digest Algorithm

    Developed by Ron Rivest in 1991
    Described in Internet Standard RFC 1321 [1]
    Input: any arbitrarily long message
    Output: 128-bit message digest
    Common uses: password storage, file integrity verification, online certificates
    Now considered broken, and unsuitable for use

  • MD5: How It Works

    MD5 processes its input in a series of steps: [1]

    1. Pad the input
    2. Append the message length
    3. Split the input into 512-bit blocks
    4. Process each block using four round functions
    5. Mix the result of the rounds with the previous block's result (or with the IV)

  • MD5: How It Works

    MD5 Round Operations:

    4 rounds, 16 operations per round
    64 total operations per message block
    All operations are performed on a buffer (A, B, C, D) that stores intermediate results
    (A, B, C, D) is initialized using an IV

  • MD5: How It Works

    (Figure: MD5 diagram from Wikipedia; image not reproduced.)
    Source: http://en.wikipedia.org/wiki/Md5

  • MD5: Our Implementation

    Written in the C programming language
    Used in the brute-force attacks
    Can perform a reduced number of rounds
    Reducing word width was not an option with the chosen attack
    Could not be integrated with the tunneling attack code due to differences in implementation

  • Brute-Force Attack

    A brute-force attack on a hash function uses the birthday principle to obtain a collision in 2^(N/2) hashes, on average, where N is the number of bits of hash output
    For MD5, this number is 128, so 2^64 hashes are necessary
    Assuming we can do 1 million hashes per second, this would still take almost 600,000 years
    Attacking fewer rounds doesn't help, either.

  • Brute-Force Attack

    Our brute-force attack:

    Tries to find two 512-bit messages that collide.
    Generates one 512-bit message randomly
    Uses a pseudorandom sequence to search other possible messages until a collision is found
    Takes waaaaaay too long.

  • Multi-Message Modification

    Sophisticated attack on MD5 (basis of Tunneling)
    Relies on choosing a set of values Q based on a set of sufficient conditions.
    Q is a set of 64 values, one for each of the 64 operations of MD5:

    Q[1]  = IV[1] + RL(F(IV[1], IV[2], IV[3]) + IV[0] + x[0] + 0xd76aa478, 7)
    ...
    Q[64] = Q[63] + RL(I(Q[63], Q[62], Q[61]) + Q[60] + x[9] + 0xeb86d391, 21)

    Where:

    F(X,Y,Z) = (X and Y) or (not(X) and Z)   (round 1 function)
    G(X,Y,Z) = (X and Z) or (Y and not(Z))   (round 2 function)
    H(X,Y,Z) = X xor Y xor Z                 (round 3 function)
    I(X,Y,Z) = Y xor (X or not(Z))           (round 4 function)

    Sufficient conditions are designed such that (where M and M* are single-block (512-bit) messages and C1 and C3 are constants):

    If M − M* = C1 then MD5(M) − MD5(M*) = C3

  • Subset of sufficient conditions

    (Table of conditions from Klima [3]; not reproduced.)

  • Differential Path

    For 16-word (512-bit) messages, if C1[4] = 0x80000000, C1[11] = 0x00008000, C1[14] = 0x80000000

    Differential Path: [3]

    QM[1] − QM*[1] = 0x00000000
    QM[2] − QM*[2] = 0x00000000
    QM[3] − QM*[3] = 0x00000000
    QM[4] − QM*[4] = 0x00000000
    QM[5] − QM*[5] = 0xFFFFFFC0
    QM[6] − QM*[6] = 0x807FFFC0
    QM[7] − QM*[7] = 0xF87FFFBF
    ...
    QM[61] − QM*[61] = 0x80000000 = IVM[0] − IVM*[0]
    QM[62] − QM*[62] = 0x82000000 = IVM[1] − IVM*[1]
    QM[63] − QM*[63] = 0x82000000 = IVM[2] − IVM*[2]
    QM[64] − QM*[64] = 0x82000000 = IVM[3] − IVM*[3]

  • Differential Path

    Now the messages' hashes differ by a constant difference, but the goal is to make two messages with the same hash
    Add a second block N and N* to M and M*:

    X − X* = (M, N) − (M*, N*) = (C1, C2)

    Design sufficient conditions for N given an IV difference of:

    IVM[0] − IVM*[0] = 0x80000000
    IVM[1] − IVM*[1] = 0x82000000
    IVM[2] − IVM*[2] = 0x82000000
    IVM[3] − IVM*[3] = 0x82000000   ([3], [5])

    Such that the final difference in hashes is:

    MD5(N) − MD5(N*) = 0, and thus MD5(X) − MD5(X*) = 0

    The initial message difference constants (C1, C2) and all sufficient conditions were chosen based on strong statistical and dependency analysis.


  • Tunneling: The Q9 Tunnel

    Calculations for Q[9-12], as given in [3]:

    Q[9]  = Q[8]  + RL(F(Q[8],  Q[7],  Q[6])  + Q[5] + x[8]  + 0x698098d8, 7)
    Q[10] = Q[9]  + RL(F(Q[9],  Q[8],  Q[7])  + Q[6] + x[9]  + 0x8b44f7af, 12)
    Q[11] = Q[10] + RL(F(Q[10], Q[9],  Q[8])  + Q[7] + x[10] + 0xffff5bb1, 17)
    Q[12] = Q[11] + RL(F(Q[11], Q[10], Q[9])  + Q[8] + x[11] + 0x895cd7be, 22)

    F(X, Y, Z) = (X and Y) or ((not X) and Z)

  • Tunneling: The Q9 Tunnel

    Q[10] depends on Q[9]; adjust x[9] to fix
    Q[13] will also be changed; adjust x[12]
    The changes to Q[9], x[8], x[9], and x[12] do not affect anything else before Q[24]
    Subsequent Q's are probabilistic
    Rearrange Q[9]'s tunnel bits for different POVs
    In actuality, conditions on Q[9-11] mean that only 3 bits can be changed this way
    2^3 different combinations
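    The slides describe the team's C implementation (slide 7) and Klima's code but reproduce neither, so here is an added example of my own, not the team's or Klima's code. It writes MD5 in the Q-state notation of slides 10 and 15, Q[i] = Q[i-1] + RL(f(Q[i-1], Q[i-2], Q[i-3]) + Q[i-4] + x[g(i)] + K[i], s[i]), with the reduced number of rounds the deck's implementation supported, and then checks the Q9-tunnel claim on the slide above: with a bit i chosen so that Q[10]_i = 0 and Q[11]_i = 1 (which makes F(Q[10], Q[9], Q[8]) and F(Q[11], Q[10], Q[9]) ignore Q[9]_i), flipping Q[9]_i and re-solving x[8], x[9] and x[12] from steps 9, 10 and 13 leaves Q[1..24] otherwise unchanged, so Q[25] (the first step to read x[9] again) is the first state that can move. The function names (md5_steps, md5_compress, md5_hex, md5_matches, q9_tunnel_check) are mine; the tunnel-bit condition is derived here from the definition of F rather than quoted from the slides; the message fed to the tunnel check is constructed from a linear congruential generator; and the digests are checked against the RFC 1321 test vectors.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1321 constants: K[i-1] is the additive constant of step i, S the per-round shifts. */
static const uint32_t K[64] = {
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391};
static const int S[4][4] = {{7, 12, 17, 22}, {5, 9, 14, 20}, {4, 11, 16, 23}, {6, 10, 15, 21}};
static const uint32_t IV[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476};

#define RL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))  /* rotate left; RR is its inverse */
#define RR(v, n) (((v) >> (n)) | ((v) << (32 - (n))))
static uint32_t F(uint32_t x, uint32_t y, uint32_t z) { return (x & y) | (~x & z); }
static uint32_t G(uint32_t x, uint32_t y, uint32_t z) { return (x & z) | (y & ~z); }
static uint32_t H(uint32_t x, uint32_t y, uint32_t z) { return x ^ y ^ z; }
static uint32_t I(uint32_t x, uint32_t y, uint32_t z) { return y ^ (x | ~z); }

/* Round function, message word index and shift for step i = 1..64. */
static uint32_t f_i(int i, uint32_t b, uint32_t c, uint32_t d) {
    int r = (i - 1) / 16;
    return r == 0 ? F(b, c, d) : r == 1 ? G(b, c, d) : r == 2 ? H(b, c, d) : I(b, c, d);
}
static int g_i(int i) {
    int r = (i - 1) / 16, j = (i - 1) % 16;
    return r == 0 ? j : r == 1 ? (5 * j + 1) % 16 : r == 2 ? (3 * j + 5) % 16 : (7 * j) % 16;
}
static int s_i(int i) { return S[(i - 1) / 16][(i - 1) % 4]; }

/* q[] holds Q[-3..64] at q[i+3], with Q[0]=IV[1], Q[-1]=IV[2], Q[-2]=IV[3], Q[-3]=IV[0], so step 1
 * reads exactly as on slide 10: Q[1] = IV[1] + RL(F(IV[1],IV[2],IV[3]) + IV[0] + x[0] + K[0], 7). */
#define Q(i) q[(i) + 3]
static void md5_steps(const uint32_t iv[4], const uint32_t x[16], uint32_t q[68], int steps) {
    Q(-3) = iv[0]; Q(0) = iv[1]; Q(-1) = iv[2]; Q(-2) = iv[3];
    for (int i = 1; i <= steps; i++)
        Q(i) = Q(i - 1) + RL(f_i(i, Q(i - 1), Q(i - 2), Q(i - 3)) + Q(i - 4) + x[g_i(i)] + K[i - 1], s_i(i));
}

/* One compression of 16*rounds steps plus the feed-forward. After step n the registers are
 * (A, B, C, D) = (Q[n-3], Q[n], Q[n-1], Q[n-2]); for n = 64 that is (Q[61], Q[64], Q[63], Q[62]). */
static void md5_compress(uint32_t st[4], const uint32_t x[16], int rounds) {
    uint32_t q[68];
    int n = 16 * rounds;
    md5_steps(st, x, q, n);
    st[0] += Q(n - 3); st[1] += Q(n); st[2] += Q(n - 1); st[3] += Q(n - 2);
}

/* MD5 of an arbitrary-length message with RFC 1321 padding (0x80, zeros, 64-bit little-endian bit
 * length); rounds = 4 is real MD5, rounds < 4 the reduced-round variant of slide 7. Fills out[33]. */
static char *md5_hex(const uint8_t *msg, size_t len, int rounds, char out[33]) {
    uint32_t st[4] = {IV[0], IV[1], IV[2], IV[3]};
    size_t padded = (len + 1 + 8 + 63) / 64 * 64;
    for (size_t off = 0; off < padded; off += 64) {
        uint8_t blk[64]; uint32_t x[16];
        for (int i = 0; i < 64; i++) {
            size_t p = off + i;
            blk[i] = p < len ? msg[p] : (p == len ? 0x80 : 0);
        }
        if (off + 64 == padded)
            for (int i = 0; i < 8; i++) blk[56 + i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
        for (int i = 0; i < 16; i++)
            x[i] = (uint32_t)blk[4 * i] | (uint32_t)blk[4 * i + 1] << 8 | (uint32_t)blk[4 * i + 2] << 16 | (uint32_t)blk[4 * i + 3] << 24;
        md5_compress(st, x, rounds);
    }
    for (int i = 0; i < 16; i++) sprintf(out + 2 * i, "%02x", (st[i / 4] >> (8 * (i % 4))) & 0xff);
    return out;
}
/* True if the full-round MD5 of a C string equals the expected lowercase hex digest. */
static int md5_matches(const char *msg, const char *expected_hex) {
    char hex[33];
    return strcmp(md5_hex((const uint8_t *)msg, strlen(msg), 4, hex), expected_hex) == 0;
}

/* Q9-tunnel check (slide 16) on a constructed message: pick bit i with Q[10]_i = 0 and Q[11]_i = 1,
 * so F(Q[10],Q[9],Q[8]) and F(Q[11],Q[10],Q[9]) ignore Q[9]_i; flip Q[9]_i and re-solve x[8], x[9],
 * x[12] from steps 9, 10, 13. Returns how many of Q[1..24] other than Q[9] changed (0 = claim holds). */
static int q9_tunnel_check(uint32_t seed) {
    uint32_t x[16], q[68], q2[68], q9;
    int bit = -1, bad = 0;
    for (int i = 0; i < 16; i++) { seed = seed * 1664525u + 1013904223u; x[i] = seed; } /* LCG data */
    md5_steps(IV, x, q, 24);
    for (int i = 0; i < 32 && bit < 0; i++)
        if (!((Q(10) >> i) & 1) && ((Q(11) >> i) & 1)) bit = i;
    if (bit < 0) return -1;                                  /* no tunnel bit in this message */
    q9 = Q(9) ^ (1u << bit);
    x[8]  = RR(q9 - Q(8), 7) - F(Q(8), Q(7), Q(6)) - Q(5) - K[8];           /* step 9 now yields q9 */
    x[9]  = RR(Q(10) - q9, 12) - F(q9, Q(8), Q(7)) - Q(6) - K[9];          /* step 10 keeps Q[10] */
    x[12] = RR(Q(13) - Q(12), 7) - F(Q(12), Q(11), Q(10)) - q9 - K[12];    /* step 13 keeps Q[13] */
    md5_steps(IV, x, q2, 24);
    bad += q2[9 + 3] != q9;
    for (int j = 1; j <= 24; j++) bad += (j != 9 && q2[j + 3] != q[j + 3]);
    return bad;
}
```

    md5_matches("abc", "900150983cd24fb0d6963f7d28e17f72") returns 1 and q9_tunnel_check(1u) returns 0. Passing rounds = 2 to md5_hex gives the two-round variant the deck ran against Klima's code; the feed-forward then adds Q[29..32] to the chaining value, which is why equal Q[29..32] for M and M* (slide 21) means equal states at step 32. The re-solving of x[8], x[9] and x[12] is only the Q9 mechanism; the collision search itself depends on the sufficient conditions and differential path of [3] and [5], which are not part of this example.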

  • Multiple Tunnels

    Klima found tunnels on Q[4], Q[9], Q[10], Q[13], Q[14], and Q[20]
    These can be applied simultaneously to significantly reduce computation times

  • Tunneling: Implementation

    Although simple in concept, implementing multi-message modification and tunneling was difficult
    Could not find specifications of all conditions
    Actual order in which to check and apply conditions unclear
    Only one existing public implementation of the full tunneling attack (Klima)

  • Tunneling: Independent Attempt

    Attempted to design an independent implementation of tunneling
    Used published conditions and attempted to reverse-engineer other conditions from Klima's code
    Complex inter-tunnel dependencies
    New dependencies that are not documented
    Poorly-formatted code base
    Independent implementation was not successful.

  • Klima's Attack

    Eventually forced to use Klima's code directly to get some results
    Code was cleaned up where possible
    Modified to run for 2 rounds or the full 4 rounds
    Was not possible to run for 1 or 3 rounds due to design of differential path

  • Klima's Attack

    2-round reduction was possible due to properties of the differential path: [3]

    QM[29] − QM*[29] = 0 = IVM[0] − IVM*[0]
    QM[30] − QM*[30] = 0 = IVM[1] − IVM*[1]
    QM[31] − QM*[31] = 0 = IVM[2] − IVM*[2]
    QM[32] − QM*[32] = 0 = IVM[3] − IVM*[3]

    Which means the intermediate hash states of M and M* at step 32 are the same
    For 1- and 3-round reduction the hash differences of M and M* are new differences, so in order to cancel the hash value the second set of conditions for N and N* must be rediscovered.

  • Klima's Attack

    main() seeds the PRNG and calls a function to find block 1
    The block 1 function sets up the deterministic values of Q and finds message block x
    It then uses nested for() loops to iteratively check through every possible combination of tunnels
    If the probabilistic conditions are met, it calls the block 2 function
    The block 2 function behaves much like the block 1 function but with new conditions and initialization vectors
    If colliding messages are found, they are printed along with the elapsed time

  • Results

    Brute-Force Attack:

    No collisions found after ~24 hours, for a reduced number of rounds.
    Full MD5 brute-force would take the same amount of time if not longer.
    We would all most likely be dead before a single collision is found.

  • Results

    Tunneling Attacks:

    It takes less than a minute to find a random collision for full MD5.
    Compare this to the ~8 hours taken using a standard multi-message modification attack. [5]
    Reduced-round attacks for 1 and 3 rounds could not be performed, because that would require changing the differential scheme.

  • Future Work

    As of now, MD5 is officially considered cracked.
    Rainbow tables are used to crack common passwords
    Programs exist that can find MD5 collisions for self-extracting archives
    Tunneling, however, can be extended to other hash functions, such as SHA-1, SHA-2

  • Conclusion

    Tunneling is an effective modification of a sophisticated attack on MD5, and allows collisions to be found very quickly
    Additional work can be done to locate tunnels for MD5 and publish the details of such attacks
    Tunneling with Multi-Message Modification can be implemented on SHA-0, SHA-1, and SHA-2 hashes, if the dependencies between steps can be analyzed to generate sufficient conditions and new tunnels

  • References

    [1] The MD5 Message-Digest Algorithm, Internet Engineering Task Force, RFC 1321, April 1992, http://www.ietf.org/rfc/rfc1321.txt

    [2] Vlastimil Klima, Finding MD5 Collisions: a Toy For a Notebook, Cryptology ePrint Archive, Report 2005/075, 2005.

    [3] Vlastimil Klima, Tunnels in Hash Functions: MD5 Collisions Within a Minute, Cryptology ePrint Archive, Report 2006/105, 2006.

    [4] Wang Yu, Chen Jianhua, He Debiao, "A New Collision Attack on MD5," 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing, vol. 2, pp. 767-770, 2009.

    [5] Xiaoyun Wang and Hongbo Yu, How to Break MD5 and Other Hash Functions, in Advances in Cryptology - EUROCRYPT 2005, pp. 19-35, Springer-Verlag, May 2005.

    [6] Vlastimil Klima, Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications, Cryptology ePrint Archive, Report 2005/102, 2005.

  • Questions?